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Abstract 

In this paper, we introduce a new quantum bit commitment protocol which is prac- 
tically secure against entanglement attacks. A general cheating strategy is discussed 
and shown to be practically ineffective against the proposed approach. 

1 Introduction 

Quantum cryptography in the sense of key distribution was first introduced in [I] with the 
BB84 protocol. The authors also proposed a bit commitment scheme which they determined 
was not secure. Construction of an unconditionally secure quantum bit commitment tech- 
nique has since become an important research problem. There have been many commitment 
schemes created, as well as a number of results on the impossibility of secure commitment 
[2] [6] [7j- Even teleportation has been considered to achieve unconditional security [3]. 
Recently, "practically" secure commitment schemes [I] have been examined, rather than 
asymptotically secure protocols. 

Consider a two party (Alice and Bob) bit commitment. Alice chooses a bit b € {0, 1}, 
locks it and sends it to Bob (this is called the commitment phase). When it is time to 
reveal b (opening phase), Bob locks the bit with his own lock (i.e., he locks the bit locked 
by Alice), and sends it back to Alice. She then opens her lock and sends the bit back to 
Bob and announces b. Bob then opens his lock and checks whether the locked bit b is the 
same as the one which was announced. 

Here we propose a simple scheme using the principles of the well-known Diffie-Hellman 

key exchange protocol (details of this protocol can be found in [5]). However, we employ 

multiplication by a unitary transform instead of exponentiation in a multiplicative group 

modulo a prime. Although this commitment scheme also falls within the category for which 

entanglement cheating is a proof of insecurity, (since it satisfies the criteria based on the 

simplified Yao model [8] as described in [7]), it is practically very hard for Alice to cheat. 

This is due to the fact that building the unitary transform required to apply on her share 

of the entangled pair is practically infeasible, as will be shown. 

Before presenting our bit-commitment protocol, we first define practical security. For 
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this, we need the following. 



Binding Experiment (BE) 

• Alice and Bob share a system Ha ® Hg and a protocol II for which the final state 
before the opening phase is pab 6 Ha <S> Hb 

• A cheating Alice performs the operation A ® I [pab] an d reveals b <—r {0, 1} to Bob. 
(A is a trace preserving operation) 

• Bob then performs the operation (actually a measurement) / <S> B[pab] to obtain b' . 

• The outcome of the experiment is 1 (success) if b = b' and (fail) otherwise. 

Definition 1.1 A protocol tt is computationally binding (CB) if for all polynomial time 
quantum operations Alice can perform we have ~Px[BE^(l n ) = 1] < \ + negl(n), where 
negl(n) is a negligible function of the secrecy parameter n. 

Proposition 1.2 If a protocol is CB then there is no collection of circuits {Q x \ x S S} 
( where S is any string ) which can be generated in polynomial time that can approximate the 
operation A. 

Proof. The proof is obvious given the definition. □ 
Achieving CB security is a general task and Alice may employ different approaches in an 
attempt to compromise the security of a protocol. One important case is an EPR attack 
by Alice. EPR attacks [7] have been proven to make all quantum bit commitment schemes 
theoretically insecure. Therefore we introduce the notion of EPR-Computationally Binding 
(EPR-CB). 

Definition 1.3 A protocol tt is EPR-Computationally Binding (EPR-CB) if for all poly- 
nomial time quantum operations by Alice, we have Vi[BE^{\ n ) = 1] < ^ + negl(n), where 
negl(n) is a negligible function of the secrecy parameter n. Note that Alice is only capable of 
entangling an ancillary system in the corresponding Hilbert space, and can perform unitary 
transforms and POVM(Positive Operator Valued Measure) measurements on her part before 
the opening phase. 



Proposition 1.4 CB is equivalent to EPR-CB if a cheating Alice can extend any system 
to a larger system in polynomial time. 

Proof. Obviously, any EPR-CB protocol is also CB. It is known that all trace preserving 
quantum operations on a Hilbert space can be extended to a higher dimensional system in 
which these operations can be reduced to a unitary transform. Therefore, a cheating Alice 
can extend a system and then perform a unitary transform. A general CB experiment on a 
Hilbert space H n is equivalent to a (unitary and POVM)-CB experiment on a Hilbert space 
H m where m > n. Therefore EPR-CB security is equivalent to CB security. □ 
Note that this proof is important as it connects the concept of binding to EPR security. 

Definition 1.5 An ensemble of protocols H = {iti,--- , 7r n } is computationally binding 
(CB) if all TTiGU are CB. 

This definition is needed because if there is only one protocol for which the bit commitment 
is CB, a cheating Alice can prepare the necessary circuit for changing the qubit in advance 
and use it at the time of commitment. 

2 The Proposed Bit Commitment Protocol 

In this section, we present the proposed method of bit commitment. With this protocol, 
each party prepares a secret unitary operator. It is assumed that a quantum channel as well 
as a classical side-channel are available, as with other bit commitment schemes. The qubits 
are exchanged through the quantum channel, while the side-channel is used to exchange 
the secret unitary operators in the opening phase. The proposal can then be described as 
follows. 

• Commitment Phase: 

- Bob prepares two previously agreed upon orthogonal states |</>o), \(j>i), and applies 
his secret transform Ub on them. He sends these to Alice and tells her which to 
use if she wants to commit or 1. 
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- Alice prepares Ua-Ub \ <t>o) or Ua-Ub\4>i) and sends \<p) G {Ua-Ub\4>o), Ua-Ub\4>i)} 
back to Bob depending on the bit she wants to share. 

• Opening Phase: 

- Alice reveals her unitary transform U a to Bob through the classical channel. 

- Bob computes \ip) = Ub-Ua\4>) and checks if it agrees with the committed qubit. 

Note that the secret unitary transforms can be chosen at random from a continuous subset 
of the unitary group. As an example, we can assume that \(f>o) = |0) and |0i) = |1), and 
Ua, Ub £ {Rx{0)-,Ry{Q),Rz{6)} where R x (9) is a rotation about the x axis with an angle 0. 

3 Security and Cheating Strategies 

One approach for Alice to attempt to cheat is to apply a unitary transform Ua during 
the committing phase but then send V ■ Ua during the opening phase (where V is another 
unitary transform), such that when Bob tries to open the commitment he receives a bit 
other than the one which was committed (say Alice has committed |(^>o) but now wants Bob 
to open \4>i)). For Alice to be successful in cheating, the following must be true for the last 
step of the opening phase 

\^) = U B -V-U A - U a .U b \4>o) = \<t>i) =>U B -V-U B = \(/>i)(4>o\ 

This shows that Alice can construct such a transform V only if she knows the secret trans- 
form of Bob. By a similar analysis, Bob also cannot determine the state \<pi) if he knows 

u A -u B \<t>i). 

3.1 Practical security against an EPR (entanglement) attack 

Let | A) and \B) denote the uniform superposition of all possible Ua and Ub on |<^>j}. In 

other words, assuming Ua and Ub are controlled gates and \A) and \B) the corresponding 

control registers, we have a register (\A) or \B)) which is a superposition of all possible 

choices of the unitary transformations by Alice and Bob. Considering these registers at the 
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end of the commitment phase, we have 



IVt>> = Eb \B)U A U B \<h) ® 17a?7b|0i)|A> 
|-0i> = Ea E b |£)^aWi) ® U A U B \4> Q )\A), 

where |V>o) denotes and |V>i) denotes 1. In each state, the component on the right side of 
the tensor product is possessed by Alice. Now, if the protocol is secure against Bob then 
the local trace over the system components of Alice must be equal for both |t/>o) an d IV'i)- 
As a result, regarding the Schmidt decomposition we have a unitary transform V on Alice's 
side which can take values from |^o) to In order for Alice to produce V, she must 

know all possible choices for Ub (but she does not need to know a particular choice of U B )- 
The existence of V shows that the protocol is not theoretically secure, but the two parties 
can hide their sets of unitary transforms and make the protocol practically secure against 
an entanglement attack. 

4 Conclusions 

In this paper, we proposed a simple but secure bit commitment protocol which is based on 
the application of secret unitary transforms by each party (Alice and Bob) in succession. 
Cheating strategies, including entanglement cheating, were examined and the system was 
shown to be effective against these attacks. 
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